Sony hack

FBI memo warns of malware possibly linked to hack at Sony Pictures

sony headquarters
Credit: REUTERS/Yuya Shino

Insiders who have seen the memo believe the timing is no coincidence

A Flash Alert issued by the FBI on Monday is warning those within its distribution circle about a type of malware that has the ability to destroy any system it infects. The memo, #A-000044-MW, was obtained by Salted Hash from a source that wishes to remain anonymous.

Those who have seen the memo, including the group where it was first shared, are speculating that it's related to the incident at Sony Pictures.

The speculation is based in part on the recent theory that North Korea is behind the attack on Sony Pictures due to possible outrage over the movie The Interview, and the malware's resource section, which uses the Korean language. Moreover, similar malware was used in attacks on South Korea in 2013.

In both cases - South Korea then, and Sony Pictures now - the malware forced the victim's networks offline according to local reports out of Korea and Sony's own employees.

While pulling the plug and shutting down systems is usually frowned upon during an active incident, administrators targeted by this malware have little choice. Given its nature, it's likely the only option available to Sony when the attacks started last week was to disable access to anything with an IP - or watch as the device is infected and erased.

This theory somewhat corroborated by employee reports last week, stating that VPN and Wi-Fi access was disabled almost immediately after the incident started.

The FBI says that the malware will make it "extremely difficult and costly, if not impossible, to recover the data using the standard forensic methods."

Once installed on the victim's system, by way of a malicious email attachment in most cases, the malware – called a wiper in some circles – will initiate a beacon and phone home.

The malware described by the FBI relies on hardcoded IP addresses (C&C servers) in Italy, Thailand, or Poland, and connect them on either port 8080 or 8000. The malware will attempt to make connections every 10 minutes to each of the IPs. If that fails, a two-hour sleep command is issued, after which the computer is shutdown and rebooted.

The memo warns that once the beacons start, the process of wiping the files has begun.

Again, while it is believed that the FBI memo is discussing malware related to the Sony Pictures information, it doesn't mention them directly. Yet, the timestamps on the malware itself are aligned with the attack on Sony's network (22-NOV and 24-NOV respectively).

The FBI would not comment on anything related to the Sony incident. The only certainty is that the Los Angeles Field Office is looking into the matter.

Reacting to the news that North Korea is behind the attacks, a person claiming to represent GOP told Salted Hash:

"We are an international organization including famous figures in the politics and society from several nations such as United States, United Kingdom and France. We are not under direction of any state.

"Our aim is not at the film The Interview as Sony Pictures suggests. But it is widely reported as if our activity is related to The Interview. This shows how dangerous film The Interview is. The Interview is very dangerous enough to cause a massive hack attack. Sony Pictures produced the film harming the regional peace and security and violating human rights for money.

"The news with The Interview fully acquaints us with the crimes of Sony Pictures. Like this, their activity is contrary to our philosophy. We struggle to fight against such greed of Sony Pictures."

The GOP released another batch of stolen documents on Monday. The 25GB file dump is said to represent just a fraction of the data that was taken for Sony.

In related news, Sony said they've hired Mandiant to help with recovery and incident response. FireEye's forensics unit is said to have started work over the weekend.

Insider: Survey: With all eyes on security, talent shortage sends salaries sky high
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies